Bug 243388

Summary: www/npm: Update to 6.13.4 - < 6.13.4 vulnerable to multiple vulnerabilities incl. arbitrary file write
Product: Ports & Packages
Reporter: volker77
Component: Individual Port(s)
Assignee: Sunpoet Po-Chuan Hsieh <sunpoet>
Status: Open
Severity: Affects Many People
CC: pizzamig, ports-secteam
Priority: Normal
Keywords: needs-patch, security
Version: Latest
Flags: bugzilla: maintainer-feedback? (sunpoet)
       pizzamig: maintainer-feedback+
       koobs: merge-quarterly?
Hardware: Any
OS: Any

Description volker77 2020-01-16 11:35:20 UTC
Please see advisories for details:

https://www.npmjs.com/advisories/1437
https://www.npmjs.com/advisories/1436
https://www.npmjs.com/advisories/1434

These also seem to affect yarn, so this may have repercussions for all / most NodeJS-related ports.
Comment 1 Kubilay Kocak freebsd_committer freebsd_triage 2020-01-16 11:48:34 UTC
Thank you for the report

^Triage: CC www/yarn maintainer and request feedback
Comment 2 Luca Pizzamiglio freebsd_committer 2020-01-20 08:46:34 UTC
There is no CVE filed for yarn. It's an npm issue only.
Comment 3 volker77 2020-01-20 10:16:58 UTC
(In reply to Luca Pizzamiglio from comment #2)

This looks very much like at least a related issue, given timing and nature of the fix:

https://github.com/yarnpkg/yarn/pull/7755